
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>10.6. Key derivation &#8212; PSA Crypto API 1.1.0 documentation</title>
    <link rel="stylesheet" href="../../_static/alabaster.css" type="text/css" />
    <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../',
        VERSION:     '1.1.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  false,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../../about.html" />
    <link rel="index" title="Index" href="../../genindex.html" />
    <link rel="search" title="Search" href="../../search.html" />
    <link rel="next" title="10.7. Asymmetric signature" href="sign.html" />
    <link rel="prev" title="10.5. Authenticated encryption with associated data (AEAD)" href="aead.html" />
   
  <link rel="stylesheet" href="../../_static/custom.css" type="text/css" />
  
  <meta name="viewport" content="width=device-width, initial-scale=0.9, maximum-scale=0.9" />

  </head>
  <body>
  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="key-derivation">
<span id="kdf"></span><h1>10.6. Key derivation</h1>
<p>A key derivation encodes a deterministic method to generate a finite stream of bytes. This data stream is computed by the cryptoprocessor and extracted in chunks. If two key derivation operations are constructed with the same parameters, then they produce the same output.</p>
<p>A key derivation consists of two phases:</p>
<ol class="arabic simple">
<li>Input collection. This is sometimes known as <em>extraction</em>: the operation “extracts” information from the inputs to generate a pseudorandom intermediate secret value.</li>
<li>Output generation. This is sometimes known as <em>expansion</em>: the operation “expands” the intermediate secret value to the desired output length.</li>
</ol>
<p>The specification defines a <a class="reference internal" href="../../overview/functionality.html#multi-part-operations"><span class="std std-ref">multi-part operation</span></a> API for key derivation that allows:</p>
<ul class="simple">
<li>Multiple key and non-key outputs to be produced from a single derivation operation object.</li>
<li>Key and non-key outputs can be extracted from the key derivation object, or compared with existing key and non-key values.</li>
<li>Algorithms that require high-entropy secret inputs. For example <a class="reference internal" href="#c.PSA_ALG_HKDF" title="PSA_ALG_HKDF"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ALG_HKDF</span></code></a>.</li>
<li>Algorithms that work with low-entropy secret inputs, or passwords. For example <a class="reference internal" href="#c.PSA_ALG_PBKDF2_HMAC" title="PSA_ALG_PBKDF2_HMAC"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ALG_PBKDF2_HMAC()</span></code></a>.</li>
</ul>
<p>An implementation with <a class="reference internal" href="../../about.html#term-isolation"><span class="term">isolation</span></a> has the following properties:</p>
<ul class="simple">
<li>The intermediate state of the key derivation is not visible to the caller.</li>
<li>If an output of the derivation is a non-exportable key, then this key cannot be recovered outside the isolation boundary.</li>
<li>If an output of the derivation is compared using <a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_bytes()</span></code></a> or <a class="reference internal" href="#c.psa_key_derivation_verify_key" title="psa_key_derivation_verify_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_key()</span></code></a>, then the output is not visible to the caller.</li>
</ul>
<p>Applications use the <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a> type to create key derivation operations. The operation object is used as follows:</p>
<ol class="arabic">
<li><p class="first">Initialize a <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a> object to zero or to <a class="reference internal" href="#c.PSA_KEY_DERIVATION_OPERATION_INIT" title="PSA_KEY_DERIVATION_OPERATION_INIT"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_OPERATION_INIT</span></code></a>.</p>
</li>
<li><p class="first">Call <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a> to select a key derivation algorithm.</p>
</li>
<li><p class="first">Call the functions <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_key()</span></code></a> or <a class="reference internal" href="ka.html#c.psa_key_derivation_key_agreement" title="psa_key_derivation_key_agreement"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_key_agreement()</span></code></a> to provide the secret inputs, and <a class="reference internal" href="#c.psa_key_derivation_input_bytes" title="psa_key_derivation_input_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_bytes()</span></code></a> or <a class="reference internal" href="#c.psa_key_derivation_input_integer" title="psa_key_derivation_input_integer"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_integer()</span></code></a> to provide the non-secret inputs, to the key derivation algorithm. Many key derivation algorithms take multiple inputs; the <code class="docutils literal"><span class="pre">step</span></code> parameter to these functions indicates which input is being provided. The documentation for each key derivation algorithm describes the expected inputs for that algorithm and in what order to pass them.</p>
</li>
<li><p class="first">Optionally, call <a class="reference internal" href="#c.psa_key_derivation_set_capacity" title="psa_key_derivation_set_capacity"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_set_capacity()</span></code></a> to set a limit on the amount of data that can be output from the key derivation operation.</p>
</li>
<li><p class="first">Call an output or verification function:</p>
<ul class="simple">
<li><a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a> to create a derived key.</li>
<li><a class="reference internal" href="#c.psa_key_derivation_output_bytes" title="psa_key_derivation_output_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_bytes()</span></code></a> to export the derived data.</li>
<li><a class="reference internal" href="#c.psa_key_derivation_verify_key" title="psa_key_derivation_verify_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_key()</span></code></a> to compare a derived key with an existing key value.</li>
<li><a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_bytes()</span></code></a> to compare derived data with a buffer.</li>
</ul>
<p>These functions can be called multiple times to read successive output from the key derivation, until the stream is exhausted when its capacity has been reached.</p>
</li>
<li><p class="first">Key derivation does not finish in the same way as other multi-part operations. Call <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a> to release the key derivation operation memory when the object is no longer required.</p>
</li>
</ol>
<p>To recover from an error, call <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a> to release the key derivation operation memory.</p>
<p>A key derivation operation cannot be rewound. Once a part of the stream has been output, it cannot be output again. This ensures that the same part of the output will not be used for different purposes.</p>
<div class="section" id="key-derivation-algorithms">
<span id="id1"></span><h2>10.6.1. Key derivation algorithms</h2>
<div class="section" id="PSA_ALG_HKDF">
<span id="c.PSA_ALG_HKDF"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_HKDF</span></code> (macro)</h3>
<p>Macro to build an HKDF algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_HKDF" title="PSA_ALG_HKDF">PSA_ALG_HKDF</a>(hash_alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">hash_alg</span></code></dt>
<dd>A hash algorithm: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a> such that <a class="reference internal" href="algorithms.html#c.PSA_ALG_IS_HASH" title="PSA_ALG_IS_HASH"><code class="docutils literal"><span class="pre">PSA_ALG_IS_HASH</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">hash_alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is true.</dd>
</dl>
<p class="rubric">Returns</p>
<p>The corresponding HKDF algorithm. For example, <a class="reference internal" href="#c.PSA_ALG_HKDF" title="PSA_ALG_HKDF"><code class="docutils literal"><span class="pre">PSA_ALG_HKDF</span></code></a><code class="docutils literal"><span class="pre">(</span></code><a class="reference internal" href="hashes.html#c.PSA_ALG_SHA_256" title="PSA_ALG_SHA_256"><code class="docutils literal"><span class="pre">PSA_ALG_SHA_256</span></code></a><code class="docutils literal"><span class="pre">)</span></code> is HKDF using HMAC-SHA-256.</p>
<p>Unspecified if <code class="docutils literal"><span class="pre">hash_alg</span></code> is not a supported hash algorithm.</p>
<p class="rubric">Description</p>
<p>This is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) specified by <span><em>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</em> <a class="reference internal" href="../../about.html#citation-rfc5869"><span class="cite">[RFC5869]</span></a></span>.</p>
<p>This key derivation algorithm uses the following inputs:</p>
<ul class="simple">
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SALT" title="PSA_KEY_DERIVATION_INPUT_SALT"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SALT</span></code></a> is the salt used in the “extract” step. It is optional; if omitted, the derivation uses an empty salt.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a> is the secret key used in the “extract” step.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_INFO" title="PSA_KEY_DERIVATION_INPUT_INFO"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_INFO</span></code></a> is the info string used in the “expand” step.</li>
</ul>
<p>If <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SALT" title="PSA_KEY_DERIVATION_INPUT_SALT"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SALT</span></code></a> is provided, it must be before <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a>. <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_INFO" title="PSA_KEY_DERIVATION_INPUT_INFO"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_INFO</span></code></a> can be provided at any time after setup and before starting to generate output.</p>
<p>Each input may only be passed once.</p>
<p class="rubric">Compatible key types</p>
<div class="line-block">
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a> (for the secret key)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a> (for the other inputs)</div>
</div>
</div>
<div class="section" id="PSA_ALG_TLS12_PRF">
<span id="c.PSA_ALG_TLS12_PRF"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_TLS12_PRF</span></code> (macro)</h3>
<p>Macro to build a TLS-1.2 PRF algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_TLS12_PRF" title="PSA_ALG_TLS12_PRF">PSA_ALG_TLS12_PRF</a>(hash_alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">hash_alg</span></code></dt>
<dd>A hash algorithm: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a> such that <a class="reference internal" href="algorithms.html#c.PSA_ALG_IS_HASH" title="PSA_ALG_IS_HASH"><code class="docutils literal"><span class="pre">PSA_ALG_IS_HASH</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">hash_alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is true.</dd>
</dl>
<p class="rubric">Returns</p>
<p>The corresponding TLS-1.2 PRF algorithm. For example, <a class="reference internal" href="#c.PSA_ALG_TLS12_PRF" title="PSA_ALG_TLS12_PRF"><code class="docutils literal"><span class="pre">PSA_ALG_TLS12_PRF</span></code></a><code class="docutils literal"><span class="pre">(</span></code><a class="reference internal" href="hashes.html#c.PSA_ALG_SHA_256" title="PSA_ALG_SHA_256"><code class="docutils literal"><span class="pre">PSA_ALG_SHA_256</span></code></a><code class="docutils literal"><span class="pre">)</span></code> represents the TLS 1.2 PRF using HMAC-SHA-256.</p>
<p>Unspecified if <code class="docutils literal"><span class="pre">hash_alg</span></code> is not a supported hash algorithm.</p>
<p class="rubric">Description</p>
<p>TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule, specified in <span><em>The Transport Layer Security (TLS) Protocol Version 1.2</em> <a class="reference internal" href="../../about.html#citation-rfc5246"><span class="cite">[RFC5246]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc5246.html#section-5">§5</a>. It is based on HMAC and can be used with either SHA-256 or SHA-384.</p>
<p>This key derivation algorithm uses the following inputs, which must be passed in the order given here:</p>
<ul class="simple">
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SEED" title="PSA_KEY_DERIVATION_INPUT_SEED"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SEED</span></code></a> is the seed.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a> is the secret key.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_LABEL" title="PSA_KEY_DERIVATION_INPUT_LABEL"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_LABEL</span></code></a> is the label.</li>
</ul>
<p>Each input may only be passed once.</p>
<p>For the application to TLS-1.2 key expansion:</p>
<ul class="simple">
<li>The seed is the concatenation of <code class="docutils literal"><span class="pre">ServerHello.Random</span> <span class="pre">+</span> <span class="pre">ClientHello.Random</span></code>.</li>
<li>The label is <code class="docutils literal"><span class="pre">&quot;key</span> <span class="pre">expansion&quot;</span></code>.</li>
</ul>
<p class="rubric">Compatible key types</p>
<div class="line-block">
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a> (for the secret key)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a> (for the other inputs)</div>
</div>
</div>
<div class="section" id="PSA_ALG_TLS12_PSK_TO_MS">
<span id="c.PSA_ALG_TLS12_PSK_TO_MS"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_TLS12_PSK_TO_MS</span></code> (macro)</h3>
<p>Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_TLS12_PSK_TO_MS" title="PSA_ALG_TLS12_PSK_TO_MS">PSA_ALG_TLS12_PSK_TO_MS</a>(hash_alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">hash_alg</span></code></dt>
<dd>A hash algorithm: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a> such that <a class="reference internal" href="algorithms.html#c.PSA_ALG_IS_HASH" title="PSA_ALG_IS_HASH"><code class="docutils literal"><span class="pre">PSA_ALG_IS_HASH</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">hash_alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is true.</dd>
</dl>
<p class="rubric">Returns</p>
<p>The corresponding TLS-1.2 PSK to MS algorithm. For example, <a class="reference internal" href="#c.PSA_ALG_TLS12_PSK_TO_MS" title="PSA_ALG_TLS12_PSK_TO_MS"><code class="docutils literal"><span class="pre">PSA_ALG_TLS12_PSK_TO_MS</span></code></a><code class="docutils literal"><span class="pre">(</span></code><a class="reference internal" href="hashes.html#c.PSA_ALG_SHA_256" title="PSA_ALG_SHA_256"><code class="docutils literal"><span class="pre">PSA_ALG_SHA_256</span></code></a><code class="docutils literal"><span class="pre">)</span></code> represents the TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.</p>
<p>Unspecified if <code class="docutils literal"><span class="pre">hash_alg</span></code> is not a supported hash algorithm.</p>
<p class="rubric">Description</p>
<p>In a pure-PSK handshake in TLS 1.2, the master secret (MS) is derived from the pre-shared key (PSK) through the application of padding (<span><em>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</em> <a class="reference internal" href="../../about.html#citation-rfc4279"><span class="cite">[RFC4279]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc4279.html#section-2">§2</a>) and the TLS-1.2 PRF (<span><em>The Transport Layer Security (TLS) Protocol Version 1.2</em> <a class="reference internal" href="../../about.html#citation-rfc5246"><span class="cite">[RFC5246]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc5246.html#section-5">§5</a>). The latter is based on HMAC and can be used with either SHA-256 or SHA-384.</p>
<p>This key derivation algorithm uses the following inputs, which must be passed in the order given here:</p>
<ul class="simple">
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SEED" title="PSA_KEY_DERIVATION_INPUT_SEED"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SEED</span></code></a> is the seed.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a> is the PSK. The PSK must not be larger than <a class="reference internal" href="#c.PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE" title="PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE</span></code></a>.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_LABEL" title="PSA_KEY_DERIVATION_INPUT_LABEL"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_LABEL</span></code></a> is the label.</li>
</ul>
<p>Each input may only be passed once.</p>
<p>For the application to TLS-1.2:</p>
<ul class="simple">
<li>The seed, which is forwarded to the TLS-1.2 PRF, is the concatenation of the <code class="docutils literal"><span class="pre">ClientHello.Random</span> <span class="pre">+</span> <span class="pre">ServerHello.Random</span></code>.</li>
<li>The label is <code class="docutils literal"><span class="pre">&quot;master</span> <span class="pre">secret&quot;</span></code> or <code class="docutils literal"><span class="pre">&quot;extended</span> <span class="pre">master</span> <span class="pre">secret&quot;</span></code>.</li>
</ul>
<p class="rubric">Compatible key types</p>
<div class="line-block">
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a> (for the PSK)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a> (for the other inputs)</div>
</div>
</div>
<div class="section" id="PSA_ALG_PBKDF2_HMAC">
<span id="c.PSA_ALG_PBKDF2_HMAC"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_PBKDF2_HMAC</span></code> (macro)</h3>
<p>Macro to build a PBKDF2-HMAC password-hashing or key-stretching algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_PBKDF2_HMAC" title="PSA_ALG_PBKDF2_HMAC">PSA_ALG_PBKDF2_HMAC</a>(hash_alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">hash_alg</span></code></dt>
<dd>A hash algorithm: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a> such that <a class="reference internal" href="algorithms.html#c.PSA_ALG_IS_HASH" title="PSA_ALG_IS_HASH"><code class="docutils literal"><span class="pre">PSA_ALG_IS_HASH</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">hash_alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is true.</dd>
</dl>
<p class="rubric">Returns</p>
<p>The corresponding PBKDF2-HMAC-XXX algorithm. For example, <a class="reference internal" href="#c.PSA_ALG_PBKDF2_HMAC" title="PSA_ALG_PBKDF2_HMAC"><code class="docutils literal"><span class="pre">PSA_ALG_PBKDF2_HMAC</span></code></a><code class="docutils literal"><span class="pre">(</span></code><a class="reference internal" href="hashes.html#c.PSA_ALG_SHA_256" title="PSA_ALG_SHA_256"><code class="docutils literal"><span class="pre">PSA_ALG_SHA_256</span></code></a><code class="docutils literal"><span class="pre">)</span></code> is the algorithm identifier for PBKDF2-HMAC-SHA-256.</p>
<p>Unspecified if <code class="docutils literal"><span class="pre">hash_alg</span></code> is not a supported hash algorithm.</p>
<p class="rubric">Description</p>
<p>PBKDF2 is specified by <span><em>PKCS #5: Password-Based Cryptography Specification Version 2.1</em> <a class="reference internal" href="../../about.html#citation-rfc8018"><span class="cite">[RFC8018]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc8018.html#section-5.2">§5.2</a>. This macro constructs a PBKDF2 algorithm that uses a pseudo-random function based on HMAC with the specified hash.</p>
<p>This key derivation algorithm uses the following inputs, which must be provided in the following order:</p>
<ul class="simple">
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_COST" title="PSA_KEY_DERIVATION_INPUT_COST"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_COST</span></code></a> is the iteration count.
This input step must be used exactly once.</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SALT" title="PSA_KEY_DERIVATION_INPUT_SALT"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SALT</span></code></a> is the salt.
This input step must be used one or more times; if used several times, the inputs will be concatenated.
This can be used to build the final salt from multiple sources, both public and secret (also known as pepper).</li>
<li><a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_PASSWORD" title="PSA_KEY_DERIVATION_INPUT_PASSWORD"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_PASSWORD</span></code></a> is the password to be hashed.
This input step must be used exactly once.</li>
</ul>
<p class="rubric">Compatible key types</p>
<div class="line-block">
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a> (for password input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD" title="PSA_KEY_TYPE_PASSWORD"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD</span></code></a> (for password input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PEPPER" title="PSA_KEY_TYPE_PEPPER"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PEPPER</span></code></a> (for salt input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a> (for salt input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a> (for key verification)</div>
</div>
</div>
<div class="section" id="PSA_ALG_PBKDF2_AES_CMAC_PRF_128">
<span id="c.PSA_ALG_PBKDF2_AES_CMAC_PRF_128"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_PBKDF2_AES_CMAC_PRF_128</span></code> (macro)</h3>
<p>The PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_PBKDF2_AES_CMAC_PRF_128" title="PSA_ALG_PBKDF2_AES_CMAC_PRF_128">PSA_ALG_PBKDF2_AES_CMAC_PRF_128</a> ((<a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t">psa_algorithm_t</a>)0x08800200)
</pre>
<p>PBKDF2 is specified by <span><em>PKCS #5: Password-Based Cryptography Specification Version 2.1</em> <a class="reference internal" href="../../about.html#citation-rfc8018"><span class="cite">[RFC8018]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc8018.html#section-5.2">§5.2</a>. This algorithm specifies the PBKDF2 algorithm using the AES-CMAC-PRF-128 pseudo-random function specified by <a class="reference internal" href="../../about.html#citation-rfc4615"><span class="cite">[RFC4615]</span></a></p>
<p>This key derivation algorithm uses the same inputs as <a class="reference internal" href="#c.PSA_ALG_PBKDF2_HMAC" title="PSA_ALG_PBKDF2_HMAC"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ALG_PBKDF2_HMAC()</span></code></a> with the same constraints.</p>
<p class="rubric">Compatible key types</p>
<div class="line-block">
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a> (for password input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD" title="PSA_KEY_TYPE_PASSWORD"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD</span></code></a> (for password input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PEPPER" title="PSA_KEY_TYPE_PEPPER"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PEPPER</span></code></a> (for salt input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a> (for salt input)</div>
<div class="line"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a> (for key verification)</div>
</div>
</div>
</div>
<div class="section" id="input-step-types">
<h2>10.6.2. Input step types</h2>
<div class="section" id="psa_key_derivation_step_t">
<span id="c.psa_key_derivation_step_t"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_step_t</span></code> (type)</h3>
<p>Encoding of the step of a key derivation.</p>
<pre class="literal-block">
typedef uint16_t <a class="reference internal" href="#c.psa_key_derivation_step_t" title="psa_key_derivation_step_t">psa_key_derivation_step_t</a>;
</pre>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_SECRET">
<span id="c.PSA_KEY_DERIVATION_INPUT_SECRET"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code> (macro)</h3>
<p>A high-entropy secret input for key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET">PSA_KEY_DERIVATION_INPUT_SECRET</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is typically a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a> passed to <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_key()</span></code></a>, or the shared secret resulting from a key agreement obtained via <a class="reference internal" href="ka.html#c.psa_key_derivation_key_agreement" title="psa_key_derivation_key_agreement"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_key_agreement()</span></code></a>.</p>
<p>The secret can also be a direct input passed to <a class="reference internal" href="#c.psa_key_derivation_input_bytes" title="psa_key_derivation_input_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_bytes()</span></code></a>. In this case, the derivation operation cannot be used to derive keys: the operation will not allow a call to <a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_PASSWORD">
<span id="c.PSA_KEY_DERIVATION_INPUT_PASSWORD"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_PASSWORD</span></code> (macro)</h3>
<p>A low-entropy secret input for password hashing or key stretching.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_PASSWORD" title="PSA_KEY_DERIVATION_INPUT_PASSWORD">PSA_KEY_DERIVATION_INPUT_PASSWORD</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is usually a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD" title="PSA_KEY_TYPE_PASSWORD"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD</span></code></a> passed to <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_key()</span></code></a> or a direct input passed to <a class="reference internal" href="#c.psa_key_derivation_input_bytes" title="psa_key_derivation_input_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_bytes()</span></code></a> that is a password or passphrase. It can also be high-entropy secret, for example, a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a>, or the shared secret resulting from a key agreement.</p>
<p>If the secret is a direct input, the derivation operation cannot be used to derive keys: the operation will not allow a call to <a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_LABEL">
<span id="c.PSA_KEY_DERIVATION_INPUT_LABEL"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_LABEL</span></code> (macro)</h3>
<p>A label for key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_LABEL" title="PSA_KEY_DERIVATION_INPUT_LABEL">PSA_KEY_DERIVATION_INPUT_LABEL</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is typically a direct input. It can also be a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_CONTEXT">
<span id="c.PSA_KEY_DERIVATION_INPUT_CONTEXT"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_CONTEXT</span></code> (macro)</h3>
<p>A context for key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_CONTEXT" title="PSA_KEY_DERIVATION_INPUT_CONTEXT">PSA_KEY_DERIVATION_INPUT_CONTEXT</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is typically a direct input. It can also be a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_SALT">
<span id="c.PSA_KEY_DERIVATION_INPUT_SALT"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SALT</span></code> (macro)</h3>
<p>A salt for key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SALT" title="PSA_KEY_DERIVATION_INPUT_SALT">PSA_KEY_DERIVATION_INPUT_SALT</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is typically a direct input. It can also be a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a> or <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PEPPER" title="PSA_KEY_TYPE_PEPPER"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PEPPER</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_INFO">
<span id="c.PSA_KEY_DERIVATION_INPUT_INFO"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_INFO</span></code> (macro)</h3>
<p>An information string for key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_INFO" title="PSA_KEY_DERIVATION_INPUT_INFO">PSA_KEY_DERIVATION_INPUT_INFO</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is typically a direct input. It can also be a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_SEED">
<span id="c.PSA_KEY_DERIVATION_INPUT_SEED"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SEED</span></code> (macro)</h3>
<p>A seed for key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SEED" title="PSA_KEY_DERIVATION_INPUT_SEED">PSA_KEY_DERIVATION_INPUT_SEED</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This is typically a direct input. It can also be a key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RAW_DATA" title="PSA_KEY_TYPE_RAW_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RAW_DATA</span></code></a>.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_INPUT_COST">
<span id="c.PSA_KEY_DERIVATION_INPUT_COST"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_COST</span></code> (macro)</h3>
<p>A cost parameter for password hashing or key stretching.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_COST" title="PSA_KEY_DERIVATION_INPUT_COST">PSA_KEY_DERIVATION_INPUT_COST</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This must be a direct input, passed to <a class="reference internal" href="#c.psa_key_derivation_input_integer" title="psa_key_derivation_input_integer"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_integer()</span></code></a>.</p>
</div>
</div>
<div class="section" id="key-derivation-functions">
<h2>10.6.3. Key derivation functions</h2>
<div class="section" id="psa_key_derivation_operation_t">
<span id="c.psa_key_derivation_operation_t"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code> (type)</h3>
<p>The type of the state object for key derivation operations.</p>
<pre class="literal-block">
typedef <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-type"><span class="std std-ref">/* implementation-defined type */</span></a></em> <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a>;
</pre>
<p>Before calling any function on a key derivation operation object, the application must initialize it by any of the following means:</p>
<ul>
<li><p class="first">Set the object to all-bits-zero, for example:</p>
<pre class="literal-block">
<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> operation;
memset(&amp;operation, 0, sizeof(operation));
</pre>
</li>
<li><p class="first">Initialize the object to logical zero values by declaring the object as static or global without an explicit initializer, for example:</p>
<pre class="literal-block">
static <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> operation;
</pre>
</li>
<li><p class="first">Initialize the object to the initializer <a class="reference internal" href="#c.PSA_KEY_DERIVATION_OPERATION_INIT" title="PSA_KEY_DERIVATION_OPERATION_INIT"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_OPERATION_INIT</span></code></a>, for example:</p>
<pre class="literal-block">
<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> operation = <a class="reference internal" href="#c.PSA_KEY_DERIVATION_OPERATION_INIT" title="PSA_KEY_DERIVATION_OPERATION_INIT">PSA_KEY_DERIVATION_OPERATION_INIT</a>;
</pre>
</li>
<li><p class="first">Assign the result of the function <a class="reference internal" href="#c.psa_key_derivation_operation_init" title="psa_key_derivation_operation_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_operation_init()</span></code></a> to the object, for example:</p>
<pre class="literal-block">
<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> operation;
operation = <a class="reference internal" href="#c.psa_key_derivation_operation_init" title="psa_key_derivation_operation_init">psa_key_derivation_operation_init</a>();
</pre>
</li>
</ul>
<p>This is an implementation-defined type. Applications that make assumptions about the content of this object will result in in implementation-specific behavior, and are non-portable.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_OPERATION_INIT">
<span id="c.PSA_KEY_DERIVATION_OPERATION_INIT"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_OPERATION_INIT</span></code> (macro)</h3>
<p>This macro returns a suitable initializer for a key derivation operation object of type <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a>.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_OPERATION_INIT" title="PSA_KEY_DERIVATION_OPERATION_INIT">PSA_KEY_DERIVATION_OPERATION_INIT</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
</div>
<div class="section" id="psa_key_derivation_operation_init">
<span id="c.psa_key_derivation_operation_init"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_operation_init</span></code> (function)</h3>
<p>Return an initial value for a key derivation operation object.</p>
<pre class="literal-block">
<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> <a class="reference internal" href="#c.psa_key_derivation_operation_init" title="psa_key_derivation_operation_init">psa_key_derivation_operation_init</a>(void);
</pre>
<p class="rubric">Returns: <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a></p>
</div>
<div class="section" id="psa_key_derivation_setup">
<span id="c.psa_key_derivation_setup"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_setup</span></code> (function)</h3>
<p>Set up a key derivation operation.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup">psa_key_derivation_setup</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                      <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t">psa_algorithm_t</a> alg);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to set up. It must have been initialized but not set up yet.</dd>
<dt> <code class="docutils literal"><span class="pre">alg</span></code></dt>
<dd><p class="first">The algorithm to compute. This must be one of the following:</p>
<ul class="last simple">
<li>A key derivation algorithm: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a> such that <a class="reference internal" href="algorithms.html#c.PSA_ALG_IS_KEY_DERIVATION" title="PSA_ALG_IS_KEY_DERIVATION"><code class="docutils literal"><span class="pre">PSA_ALG_IS_KEY_DERIVATION</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is true.</li>
<li>A key agreement and derivation algorithm: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a> such that <a class="reference internal" href="algorithms.html#c.PSA_ALG_IS_KEY_AGREEMENT" title="PSA_ALG_IS_KEY_AGREEMENT"><code class="docutils literal"><span class="pre">PSA_ALG_IS_KEY_AGREEMENT</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is true and <a class="reference internal" href="ka.html#c.PSA_ALG_IS_RAW_KEY_AGREEMENT" title="PSA_ALG_IS_RAW_KEY_AGREEMENT"><code class="docutils literal"><span class="pre">PSA_ALG_IS_RAW_KEY_AGREEMENT</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">alg</span></code><code class="docutils literal"><span class="pre">)</span></code> is false.</li>
</ul>
</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be inactive.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd><code class="docutils literal"><span class="pre">alg</span></code> is neither a key derivation algorithm, nor a key agreement and derivation algorithm.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_SUPPORTED" title="PSA_ERROR_NOT_SUPPORTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_SUPPORTED</span></code></a></dt>
<dd><code class="docutils literal"><span class="pre">alg</span></code> is not supported or is not a key derivation algorithm, or a key agreement and derivation algorithm.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>A key derivation algorithm takes some inputs and uses them to generate a byte stream in a deterministic way. This byte stream can be used to produce keys and other cryptographic material.</p>
<p>A key agreement and derivation algorithm uses a key agreement protocol to provide a shared secret which is used for the key derivation. See <a class="reference internal" href="ka.html#c.psa_key_derivation_key_agreement" title="psa_key_derivation_key_agreement"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_key_agreement()</span></code></a>.</p>
<p>To derive a key:</p>
<ol class="arabic simple">
<li>Start with an initialized object of type <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a>.</li>
<li>Call <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a> to select the algorithm.</li>
<li>Provide the inputs for the key derivation by calling <a class="reference internal" href="#c.psa_key_derivation_input_bytes" title="psa_key_derivation_input_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_bytes()</span></code></a> or <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_key()</span></code></a> as appropriate. Which inputs are needed, in what order, whether keys are permitted, and what type of keys depends on the algorithm.</li>
<li>Optionally set the operation’s maximum capacity with <a class="reference internal" href="#c.psa_key_derivation_set_capacity" title="psa_key_derivation_set_capacity"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_set_capacity()</span></code></a>. This can be done before, in the middle of, or after providing inputs. For some algorithms, this step is mandatory because the output depends on the maximum capacity.</li>
<li>To derive a key, call <a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a>. To derive a byte string for a different purpose, call <a class="reference internal" href="#c.psa_key_derivation_output_bytes" title="psa_key_derivation_output_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_bytes()</span></code></a>. Successive calls to these functions use successive output bytes calculated by the key derivation algorithm.</li>
<li>Clean up the key derivation operation object with <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</li>
</ol>
<p>If this function returns an error, the key derivation operation object is not changed.</p>
<p>If an error occurs at any step after a call to <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a>, the operation will need to be reset by a call to <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
<p>Implementations must reject an attempt to derive a key of size <code class="docutils literal"><span class="pre">0</span></code>.</p>
</div>
<div class="section" id="psa_key_derivation_get_capacity">
<span id="c.psa_key_derivation_get_capacity"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_get_capacity</span></code> (function)</h3>
<p>Retrieve the current capacity of a key derivation operation.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_get_capacity" title="psa_key_derivation_get_capacity">psa_key_derivation_get_capacity</a>(const <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                             size_t * capacity);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The operation to query.</dd>
<dt> <code class="docutils literal"><span class="pre">capacity</span></code></dt>
<dd>On success, the capacity of the operation.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.
The maximum number of bytes that this key derivation can return is <code class="docutils literal"><span class="pre">(*capacity)</span></code>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be active.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>The capacity of a key derivation is the maximum number of bytes that it can return. Reading <em>N</em> bytes of output from a key derivation operation reduces its capacity by at least <em>N</em>. The capacity can be reduced by more than <em>N</em> in the following situations:</p>
<ul class="simple">
<li>Calling <a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a> can reduce the capacity by more than the key size, depending on the type of key being generated. See  <a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a> for details of the key derivation process.</li>
<li>When the <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a> object is operating as a deterministic random bit generator (DBRG), which reduces capacity in whole blocks, even when less than a block is read.</li>
</ul>
</div>
<div class="section" id="psa_key_derivation_set_capacity">
<span id="c.psa_key_derivation_set_capacity"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_set_capacity</span></code> (function)</h3>
<p>Set the maximum capacity of a key derivation operation.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_set_capacity" title="psa_key_derivation_set_capacity">psa_key_derivation_set_capacity</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                             size_t capacity);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to modify.</dd>
<dt> <code class="docutils literal"><span class="pre">capacity</span></code></dt>
<dd>The new capacity of the operation. It must be less or equal to the operation’s current capacity.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be active.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd><code class="docutils literal"><span class="pre">capacity</span></code> is larger than the operation’s current capacity. In this case, the operation object remains valid and its capacity remains unchanged.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>The capacity of a key derivation operation is the maximum number of bytes that the key derivation operation can return from this point onwards.</p>
</div>
<div class="section" id="psa_key_derivation_input_bytes">
<span id="c.psa_key_derivation_input_bytes"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_input_bytes</span></code> (function)</h3>
<p>Provide an input for key derivation or key agreement.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_input_bytes" title="psa_key_derivation_input_bytes">psa_key_derivation_input_bytes</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                            <a class="reference internal" href="#c.psa_key_derivation_step_t" title="psa_key_derivation_step_t">psa_key_derivation_step_t</a> step,
                                            const uint8_t * data,
                                            size_t data_length);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to use. It must have been set up with <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a> and must not have produced any output yet.</dd>
<dt> <code class="docutils literal"><span class="pre">step</span></code></dt>
<dd>Which step the input data is for.</dd>
<dt> <code class="docutils literal"><span class="pre">data</span></code></dt>
<dd>Input data to use.</dd>
<dt> <code class="docutils literal"><span class="pre">data_length</span></code></dt>
<dd>Size of the <code class="docutils literal"><span class="pre">data</span></code> buffer in bytes.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid for this input <code class="docutils literal"><span class="pre">step</span></code>. This can happen if the application provides a step out of order or repeats a step that may not be repeated.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li><code class="docutils literal"><span class="pre">step</span></code> is not compatible with the operation’s algorithm.</li>
<li><code class="docutils literal"><span class="pre">step</span></code> does not allow direct inputs.</li>
<li><code class="docutils literal"><span class="pre">data_length</span></code> is too small or too large for <code class="docutils literal"><span class="pre">step</span></code> in this particular algorithm.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_SUPPORTED" title="PSA_ERROR_NOT_SUPPORTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_SUPPORTED</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li><code class="docutils literal"><span class="pre">step</span></code> is not supported with the operation’s algorithm.</li>
<li><code class="docutils literal"><span class="pre">data_length</span></code> is is not supported for <code class="docutils literal"><span class="pre">step</span></code> in this particular algorithm.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.</p>
<p>This function passes direct inputs, which is usually correct for non-secret inputs. To pass a secret input, which is normally in a key object, call <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_key()</span></code></a> instead of this function. Refer to the documentation of individual step types (<code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_xxx</span></code> values of type <a class="reference internal" href="#c.psa_key_derivation_step_t" title="psa_key_derivation_step_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_step_t</span></code></a>) for more information.</p>
<p>If this function returns an error status, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
</div>
<div class="section" id="psa_key_derivation_input_integer">
<span id="c.psa_key_derivation_input_integer"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_input_integer</span></code> (function)</h3>
<p>Provide a numeric input for key derivation or key agreement.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_input_integer" title="psa_key_derivation_input_integer">psa_key_derivation_input_integer</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                              <a class="reference internal" href="#c.psa_key_derivation_step_t" title="psa_key_derivation_step_t">psa_key_derivation_step_t</a> step,
                                              uint64_t value);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to use. It must have been set up with <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a> and must not have produced any output yet.</dd>
<dt> <code class="docutils literal"><span class="pre">step</span></code></dt>
<dd>Which step the input data is for.</dd>
<dt> <code class="docutils literal"><span class="pre">value</span></code></dt>
<dd>The value of the numeric input.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid for this input <code class="docutils literal"><span class="pre">step</span></code>. This can happen if the application provides a step out of order or repeats a step that may not be repeated.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li><code class="docutils literal"><span class="pre">step</span></code> is not compatible with the operation’s algorithm.</li>
<li><code class="docutils literal"><span class="pre">step</span></code> does not allow numerical inputs.</li>
<li><code class="docutils literal"><span class="pre">value</span></code> is not valid for <code class="docutils literal"><span class="pre">step</span></code> in the operation’s algorithm.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_SUPPORTED" title="PSA_ERROR_NOT_SUPPORTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_SUPPORTED</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li><code class="docutils literal"><span class="pre">step</span></code> is not supported with the operation’s algorithm.</li>
<li><code class="docutils literal"><span class="pre">value</span></code> is not supported for <code class="docutils literal"><span class="pre">step</span></code> in the operation’s algorithm.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>Which inputs are required and in what order depends on the algorithm.
However, when an algorithm requires a particular order, numeric inputs usually come first as they tend to be configuration parameters.
Refer to the documentation of each key derivation or key agreement algorithm for information.</p>
<p>This function is used for inputs which are fixed-size non-negative integers.</p>
<p>If this function returns an error status, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
</div>
<div class="section" id="psa_key_derivation_input_key">
<span id="c.psa_key_derivation_input_key"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_input_key</span></code> (function)</h3>
<p>Provide an input for key derivation in the form of a key.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key">psa_key_derivation_input_key</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                          <a class="reference internal" href="#c.psa_key_derivation_step_t" title="psa_key_derivation_step_t">psa_key_derivation_step_t</a> step,
                                          <a class="reference internal" href="../keys/ids.html#c.psa_key_id_t" title="psa_key_id_t">psa_key_id_t</a> key);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to use. It must have been set up with <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a> and must not have produced any output yet.</dd>
<dt> <code class="docutils literal"><span class="pre">step</span></code></dt>
<dd>Which step the input data is for.</dd>
<dt> <code class="docutils literal"><span class="pre">key</span></code></dt>
<dd>Identifier of the key. The key must have an appropriate type for <code class="docutils literal"><span class="pre">step</span></code>, it must allow the usage <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a> or <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a> (see <a class="reference internal" href="#note">note</a>), and it must permit the algorithm used by the operation.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid for this input <code class="docutils literal"><span class="pre">step</span></code>. This can happen if the application provides a step out of order or repeats a step that may not be repeated.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_HANDLE" title="PSA_ERROR_INVALID_HANDLE"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_HANDLE</span></code></a></dt>
<dd><code class="docutils literal"><span class="pre">key</span></code> is not a valid key identifier.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_PERMITTED" title="PSA_ERROR_NOT_PERMITTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_PERMITTED</span></code></a></dt>
<dd>The key has neither the <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a> nor the <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a> usage flag, or it does not permit the operation’s algorithm.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li><code class="docutils literal"><span class="pre">step</span></code> is not compatible with the operation’s algorithm.</li>
<li><code class="docutils literal"><span class="pre">step</span></code> does not allow key inputs of the given type, or does not allow key inputs at all.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_SUPPORTED" title="PSA_ERROR_NOT_SUPPORTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_SUPPORTED</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li><code class="docutils literal"><span class="pre">step</span></code> is not supported with the operation’s algorithm.</li>
<li>Key inputs of the given type are not supported for <code class="docutils literal"><span class="pre">step</span></code> in the operation’s algorithm.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.</p>
<p>This function obtains input from a key object, which is usually correct for secret inputs or for non-secret personalization strings kept in the key store. To pass a non-secret parameter which is not in the key store, call <a class="reference internal" href="#c.psa_key_derivation_input_bytes" title="psa_key_derivation_input_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_bytes()</span></code></a> instead of this function. Refer to the documentation of individual step types (<code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_xxx</span></code> values of type <a class="reference internal" href="#c.psa_key_derivation_step_t" title="psa_key_derivation_step_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_step_t</span></code></a>) for more information.</p>
<div class="admonition note" id="note">
<p class="first admonition-title">Note</p>
<p>Once all inputs steps are completed, the following operations are permitted:</p>
<ul class="last simple">
<li><a class="reference internal" href="#c.psa_key_derivation_output_bytes" title="psa_key_derivation_output_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_bytes()</span></code></a> — if each input was either a direct input or a key with usage flag <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a>.</li>
<li><a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_key()</span></code></a> — if the input for step <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a> or <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_PASSWORD" title="PSA_KEY_DERIVATION_INPUT_PASSWORD"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_PASSWORD</span></code></a> was a key with usage flag <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a>, and every other input was either a direct input or a key with usage flag <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a>.</li>
<li><a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_bytes()</span></code></a> — if each input was either a direct input or a key with usage flag <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a>.</li>
<li><a class="reference internal" href="#c.psa_key_derivation_verify_key" title="psa_key_derivation_verify_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_key()</span></code></a> — under the same conditions as <a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_bytes()</span></code></a>.</li>
</ul>
</div>
<p>If this function returns an error status, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
</div>
<div class="section" id="psa_key_derivation_output_bytes">
<span id="c.psa_key_derivation_output_bytes"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_output_bytes</span></code> (function)</h3>
<p>Read some data from a key derivation operation.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_output_bytes" title="psa_key_derivation_output_bytes">psa_key_derivation_output_bytes</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                             uint8_t * output,
                                             size_t output_length);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to read from.</dd>
<dt> <code class="docutils literal"><span class="pre">output</span></code></dt>
<dd>Buffer where the output will be written.</dd>
<dt> <code class="docutils literal"><span class="pre">output_length</span></code></dt>
<dd>Number of bytes to output.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.
The first <code class="docutils literal"><span class="pre">output_length</span></code> bytes of <code class="docutils literal"><span class="pre">output</span></code> contain the derived data.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be active, with all required input steps complete.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_PERMITTED" title="PSA_ERROR_NOT_PERMITTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_PERMITTED</span></code></a></dt>
<dd>One of the inputs was a key whose policy did not allow <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a></dt>
<dd><p class="first">The operation’s capacity was less than <code class="docutils literal"><span class="pre">output_length</span></code> bytes. In this case, the following occurs:</p>
<ul class="last simple">
<li>No output is written to the output buffer.</li>
<li>The operation’s capacity is set to zero — subsequent calls to this function will not succeed, even with a smaller output buffer.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>This function calculates output bytes from a key derivation algorithm and returns those bytes. If the key derivation’s output is viewed as a stream of bytes, this function consumes the requested number of bytes from the stream and returns them to the caller. The operation’s capacity decreases by the number of bytes read.</p>
<p>If this function returns an error status other than <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a>, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
</div>
<div class="section" id="psa_key_derivation_output_key">
<span id="c.psa_key_derivation_output_key"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_output_key</span></code> (function)</h3>
<p>Derive a key from an ongoing key derivation operation.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_output_key" title="psa_key_derivation_output_key">psa_key_derivation_output_key</a>(const <a class="reference internal" href="../keys/attributes.html#c.psa_key_attributes_t" title="psa_key_attributes_t">psa_key_attributes_t</a> * attributes,
                                           <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                           <a class="reference internal" href="../keys/ids.html#c.psa_key_id_t" title="psa_key_id_t">psa_key_id_t</a> * key);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">attributes</span></code></dt>
<dd><p class="first">The attributes for the new key.
This function uses the attributes as follows:</p>
<ul>
<li><p class="first">The key type is required. It cannot be an asymmetric public key.</p>
</li>
<li><p class="first">The key size is required. It must be a valid size for the key type.</p>
</li>
<li><p class="first">The key permitted-algorithm policy is required for keys that will be used for a cryptographic operation, see <a class="reference internal" href="../keys/policy.html#permitted-algorithms"><span class="secref">Permitted algorithms</span></a>.</p>
<p>If the key type to be created is <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a>, then the permitted-algorithm policy must be the same as the current operation’s algorithm.</p>
</li>
<li><p class="first">The key usage flags define what operations are permitted with the key, see <a class="reference internal" href="../keys/policy.html#key-usage-flags"><span class="secref">Key usage flags</span></a>.</p>
</li>
<li><p class="first">The key lifetime and identifier are required for a persistent key.</p>
</li>
</ul>
<div class="last admonition note">
<p class="first admonition-title">Note</p>
<p class="last">This is an input parameter: it is not updated with the final key attributes. The final attributes of the new key can be queried by calling <a class="reference internal" href="../keys/attributes.html#c.psa_get_key_attributes" title="psa_get_key_attributes"><code class="xref any c c-func docutils literal"><span class="pre">psa_get_key_attributes()</span></code></a> with the key’s identifier.</p>
</div>
</dd>
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to read from.</dd>
<dt> <code class="docutils literal"><span class="pre">key</span></code></dt>
<dd>On success, an identifier for the newly created key. <a class="reference internal" href="../keys/ids.html#c.PSA_KEY_ID_NULL" title="PSA_KEY_ID_NULL"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_ID_NULL</span></code></a> on failure.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.
If the key is persistent, the key material and the key’s metadata have been saved to persistent storage.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be active, with all required input steps complete.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_PERMITTED" title="PSA_ERROR_NOT_PERMITTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_PERMITTED</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a> input step was neither provided through a key, nor the result of a key agreement.</li>
<li>One of the inputs was a key whose policy did not allow <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_DERIVE" title="PSA_KEY_USAGE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_DERIVE</span></code></a>.</li>
<li>The implementation does not permit creating a key with the specified attributes due to some implementation-specific policy.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_ALREADY_EXISTS" title="PSA_ERROR_ALREADY_EXISTS"><code class="docutils literal"><span class="pre">PSA_ERROR_ALREADY_EXISTS</span></code></a></dt>
<dd>This is an attempt to create a persistent key, and there is already a persistent key with the given identifier.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a></dt>
<dd><p class="first">There was not enough data to create the desired key. In this case, the following occurs:</p>
<ul class="last simple">
<li>No key is generated.</li>
<li>The operation’s capacity is set to zero — subsequent calls to this function will not succeed, even if they require less data.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The key type is invalid, or is an asymmetric public key type.</li>
<li>The key type is <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a>, and the permitted-algorithm policy is not the same as the current operation’s algorithm.</li>
<li>The key size is not valid for the key type.</li>
<li>The key lifetime is invalid.</li>
<li>The key identifier is not valid for the key lifetime.</li>
<li>The key usage flags include invalid values.</li>
<li>The key’s permitted-usage algorithm is invalid.</li>
<li>The key attributes, as a whole, are invalid.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_SUPPORTED" title="PSA_ERROR_NOT_SUPPORTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_SUPPORTED</span></code></a></dt>
<dd>The key attributes, as a whole, are not supported, either by the implementation in general or in the specified storage location.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_STORAGE" title="PSA_ERROR_INSUFFICIENT_STORAGE"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_STORAGE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>This function calculates output bytes from a key derivation algorithm and uses those bytes to generate a key deterministically. The key’s location, policy, type and size are taken from <code class="docutils literal"><span class="pre">attributes</span></code>.</p>
<p>If the key derivation’s output is viewed as a stream of bytes, this function consumes the required number of bytes from the stream. The operation’s capacity decreases by the number of bytes used to derive the key.</p>
<p>If this function returns an error status other than <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a>, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
<p>How much output is produced and consumed from the operation, and how the key is derived, depends on the key type. <span><a class="reference internal" href="#std-key-derivation"><span class="numref">Table 5</span></a></span> describes the required key derivation procedures for standard key derivation algorithms. Implementations can use other methods for implementation-specific algorithms.</p>
<p>In all cases, the data that is read is discarded from the operation. The operation’s capacity is decreased by the number of bytes read.</p>
<table border="1" class="colwidths-given longtable docutils align-right" id="std-key-derivation">
<caption><span class="caption-number">Table 5 </span><span class="caption-text">Standard key derivation process</span></caption>
<colgroup>
<col width="29%" />
<col width="71%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Key type</th>
<th class="head">Key type details and derivation procedure</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><p class="first">AES</p>
<p>ARC4</p>
<p>ARIA</p>
<p>CAMELLIA</p>
<p>ChaCha20</p>
<p>SM4</p>
<p>Secrets for derivation</p>
<p>HMAC</p>
<p class="last">Password hashes</p>
</td>
<td><p class="first"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_AES" title="PSA_KEY_TYPE_AES"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_AES</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_ARC4" title="PSA_KEY_TYPE_ARC4"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_ARC4</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_ARIA" title="PSA_KEY_TYPE_ARIA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_ARIA</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_CAMELLIA" title="PSA_KEY_TYPE_CAMELLIA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_CAMELLIA</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_CHACHA20" title="PSA_KEY_TYPE_CHACHA20"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_CHACHA20</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_SM4" title="PSA_KEY_TYPE_SM4"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_SM4</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DERIVE" title="PSA_KEY_TYPE_DERIVE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DERIVE</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_HMAC" title="PSA_KEY_TYPE_HMAC"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_HMAC</span></code></a></p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a></p>
<p class="last">For key types for which the key is an arbitrary sequence of bytes of a given size, this function is functionally equivalent to calling <a class="reference internal" href="#c.psa_key_derivation_output_bytes" title="psa_key_derivation_output_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_output_bytes()</span></code></a> and passing the resulting output to <a class="reference internal" href="../keys/management.html#c.psa_import_key" title="psa_import_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_import_key()</span></code></a>. However, this function has a security benefit: if the implementation provides an isolation boundary then the key material is not exposed outside the isolation boundary. As a consequence, for these key types, this function always consumes exactly <code class="docutils literal"><span class="pre">(bits/8)</span></code> bytes from the operation.</p>
</td>
</tr>
<tr class="row-odd"><td>DES</td>
<td><p class="first"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DES" title="PSA_KEY_TYPE_DES"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DES</span></code></a>, 64 bits.</p>
<p>This function generates a key using the following process:</p>
<ol class="last arabic simple">
<li>Draw an 8-byte string.</li>
<li>Set/clear the parity bits in each byte.</li>
<li>If the result is a forbidden weak key, discard the result and return to step 1.</li>
<li>Output the string.</li>
</ol>
</td>
</tr>
<tr class="row-even"><td><p class="first">2-key 3DES</p>
<p class="last">3-key 3DES</p>
</td>
<td><p class="first"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DES" title="PSA_KEY_TYPE_DES"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DES</span></code></a>, 192 bits.</p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DES" title="PSA_KEY_TYPE_DES"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_DES</span></code></a>, 128 bits.</p>
<p>The two or three keys are generated by repeated application of the process used to generate a DES key.</p>
<p class="last">For example, for 3-key 3DES, if the first 8 bytes specify a weak key and the next 8 bytes do not, discard the first 8 bytes, use the next 8 bytes as the first key, and continue reading output from the operation to derive the other two keys.</p>
</td>
</tr>
<tr class="row-odd"><td><p class="first">Finite-field Diffie-Hellman keys</p>
<p class="last">ECC keys on a Weierstrass elliptic curve</p>
</td>
<td><p class="first"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_DH_KEY_PAIR" title="PSA_KEY_TYPE_DH_KEY_PAIR"><code class="docutils literal"><span class="pre">PSA_KEY_TYPE_DH_KEY_PAIR</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">dh_family</span></code><code class="docutils literal"><span class="pre">)</span></code> where <code class="docutils literal"><span class="pre">dh_family</span></code> designates any Diffie-Hellman family.</p>
<p><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_ECC_KEY_PAIR" title="PSA_KEY_TYPE_ECC_KEY_PAIR"><code class="docutils literal"><span class="pre">PSA_KEY_TYPE_ECC_KEY_PAIR</span></code></a><code class="docutils literal"><span class="pre">(</span></code><code class="docutils literal"><span class="pre">ecc_family</span></code><code class="docutils literal"><span class="pre">)</span></code> where <code class="docutils literal"><span class="pre">ecc_family</span></code> designates a Weierstrass curve family.</p>
<p>These key types require the generation of a private key which is an integer in the range [1, <em>N</em> - 1], where <em>N</em> is the boundary of the private key domain: <em>N</em> is the prime <em>p</em> for Diffie-Hellman, or the order of the curve’s base point for ECC.</p>
<p>Let <code class="docutils literal"><span class="pre">m</span></code> be the bit size of <em>N</em>, such that <code class="docutils literal"><span class="pre">2^m</span></code> &gt; <em>N</em> &gt;= <code class="docutils literal"><span class="pre">2^(m-1)</span></code>. This function generates the private key using the following process:</p>
<ol class="arabic simple">
<li>Draw a byte string of length <code class="docutils literal"><span class="pre">ceiling(m/8)</span></code> bytes.</li>
<li>If <code class="docutils literal"><span class="pre">m</span></code> is not a multiple of <code class="docutils literal"><span class="pre">8</span></code>, set the most significant <code class="docutils literal"><span class="pre">(8</span> <span class="pre">*</span> <span class="pre">ceiling(m/8)</span> <span class="pre">-</span> <span class="pre">m)</span></code> bits of the first byte in the string to zero.</li>
<li>Convert the string to integer <em>k</em> by decoding it as a big-endian byte string.</li>
<li>If <em>k</em> &gt; <em>N</em> - <code class="docutils literal"><span class="pre">2</span></code>, discard the result and return to step 1.</li>
<li>Output <em>k</em> + <code class="docutils literal"><span class="pre">1</span></code> as the private key.</li>
</ol>
<p>This method allows compliance to NIST standards, specifically the methods titled <em>Key-Pair Generation by Testing Candidates</em> in the following publications:</p>
<ul class="last simple">
<li><span><em>NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</em> <a class="reference internal" href="../../about.html#citation-sp800-56a"><span class="cite">[SP800-56A]</span></a></span> §5.6.1.1.4 for Diffie-Hellman keys.</li>
<li><a class="reference internal" href="../../about.html#citation-sp800-56a"><span class="cite">[SP800-56A]</span></a> §5.6.1.2.2 or <span><em>FIPS Publication 186-4: Digital Signature Standard (DSS)</em> <a class="reference internal" href="../../about.html#citation-fips186-4"><span class="cite">[FIPS186-4]</span></a></span> §B.4.2 for elliptic curve keys.</li>
</ul>
</td>
</tr>
<tr class="row-even"><td>ECC keys on a Montgomery elliptic curve</td>
<td><p class="first"><a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_ECC_KEY_PAIR" title="PSA_KEY_TYPE_ECC_KEY_PAIR"><code class="docutils literal"><span class="pre">PSA_KEY_TYPE_ECC_KEY_PAIR</span></code></a><code class="docutils literal"><span class="pre">(</span></code><a class="reference internal" href="../keys/types.html#c.PSA_ECC_FAMILY_MONTGOMERY" title="PSA_ECC_FAMILY_MONTGOMERY"><code class="docutils literal"><span class="pre">PSA_ECC_FAMILY_MONTGOMERY</span></code></a><code class="docutils literal"><span class="pre">)</span></code></p>
<p>This function always draws a byte string whose length is determined by the curve, and sets the mandatory bits accordingly. That is:</p>
<ul class="last simple">
<li>Curve25519 (<a class="reference internal" href="../keys/types.html#c.PSA_ECC_FAMILY_MONTGOMERY" title="PSA_ECC_FAMILY_MONTGOMERY"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ECC_FAMILY_MONTGOMERY</span></code></a>, 255 bits): draw a 32-byte string and process it as specified in <span><em>Elliptic Curves for Security</em> <a class="reference internal" href="../../about.html#citation-rfc7748"><span class="cite">[RFC7748]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc7748.html#section-5">§5</a>.</li>
<li>Curve448 (<a class="reference internal" href="../keys/types.html#c.PSA_ECC_FAMILY_MONTGOMERY" title="PSA_ECC_FAMILY_MONTGOMERY"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ECC_FAMILY_MONTGOMERY</span></code></a>, 448 bits): draw a 56-byte string and process it as specified in <a class="reference internal" href="../../about.html#citation-rfc7748"><span class="cite">[RFC7748]</span></a> <a class="reference external" href="https://tools.ietf.org/html/rfc7748.html#section-5">§5</a>.</li>
</ul>
</td>
</tr>
<tr class="row-odd"><td><em>Other key types</em></td>
<td><p class="first">This includes <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_RSA_KEY_PAIR" title="PSA_KEY_TYPE_RSA_KEY_PAIR"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_RSA_KEY_PAIR</span></code></a>.</p>
<p class="last">The way in which the operation output is consumed is implementation-defined.</p>
</td>
</tr>
</tbody>
</table>
<p>For algorithms that take an input step <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_SECRET" title="PSA_KEY_DERIVATION_INPUT_SECRET"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_SECRET</span></code></a>, the input to that step must be provided with <a class="reference internal" href="#c.psa_key_derivation_input_key" title="psa_key_derivation_input_key"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_input_key()</span></code></a>. Future versions of this specification might include additional restrictions on the derived key based on the attributes and strength of the secret key.</p>
</div>
<div class="section" id="psa_key_derivation_verify_bytes">
<span id="c.psa_key_derivation_verify_bytes"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_verify_bytes</span></code> (function)</h3>
<p>Compare output data from a key derivation operation to an expected value.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes">psa_key_derivation_verify_bytes</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                             const uint8_t *expected_output,
                                             size_t output_length);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to read from.</dd>
<dt> <code class="docutils literal"><span class="pre">expected_output</span></code></dt>
<dd>Buffer containing the expected derivation output.</dd>
<dt> <code class="docutils literal"><span class="pre">output_length</span></code></dt>
<dd>Length ot the expected output. This is also the number of bytes that will be read.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.
The output of the key derivation operation matches <code class="docutils literal"><span class="pre">expected_output</span></code>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be active, with all required input steps complete.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_PERMITTED" title="PSA_ERROR_NOT_PERMITTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_PERMITTED</span></code></a></dt>
<dd>One of the inputs is a key whose policy does not permit <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_SIGNATURE" title="PSA_ERROR_INVALID_SIGNATURE"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_SIGNATURE</span></code></a></dt>
<dd>The output of the key derivation operation does not match the value in <code class="docutils literal"><span class="pre">expected_output</span></code>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a></dt>
<dd>The operation’s capacity was less than <code class="docutils literal"><span class="pre">output_length</span></code> bytes. In this case, the operation’s capacity is set to zero — subsequent calls to this function will not succeed, even with a smaller expected output length.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>This function calculates output bytes from a key derivation algorithm and compares those bytes to an expected value.
If the key derivation’s output is viewed as a stream of bytes, this function destructively reads <code class="docutils literal"><span class="pre">output_length</span></code> bytes from the stream before comparing them with <code class="docutils literal"><span class="pre">expected_output</span></code>.
The operation’s capacity decreases by the number of bytes read.</p>
<p>This is functionally equivalent to the following code:</p>
<pre class="literal-block">
uint8_t tmp[output_length];
<a class="reference internal" href="#c.psa_key_derivation_output_bytes" title="psa_key_derivation_output_bytes">psa_key_derivation_output_bytes</a>(operation, tmp, output_length);
if (memcmp(expected_output, tmp, output_length) != 0)
    return <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_SIGNATURE" title="PSA_ERROR_INVALID_SIGNATURE">PSA_ERROR_INVALID_SIGNATURE</a>;
</pre>
<p>However, calling <a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_bytes()</span></code></a> works even if the key’s policy does not allow output of the bytes.</p>
<p>If this function returns an error status other than <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a> or <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_SIGNATURE" title="PSA_ERROR_INVALID_SIGNATURE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ERROR_INVALID_SIGNATURE</span></code></a>, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Implementations must make the best effort to ensure that the comparison between the actual key derivation output and the expected output is performed in constant time.</p>
</div>
</div>
<div class="section" id="psa_key_derivation_verify_key">
<span id="c.psa_key_derivation_verify_key"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_verify_key</span></code> (function)</h3>
<p>Compare output data from a key derivation operation to an expected value stored in a key.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_verify_key" title="psa_key_derivation_verify_key">psa_key_derivation_verify_key</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation,
                                           <a class="reference internal" href="../keys/ids.html#c.psa_key_id_t" title="psa_key_id_t">psa_key_id_t</a> expected);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The key derivation operation object to read from.</dd>
<dt> <code class="docutils literal"><span class="pre">expected</span></code></dt>
<dd><p class="first">A key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a> containing the expected output.
The key must allow the usage <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a>, and the permitted algorithm must match the operation’s algorithm.</p>
<p class="last">The value of this key is typically computed by a previous call to psa_key_derivation_output_key().</p>
</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.
The output of the key derivation operation matches the <code class="docutils literal"><span class="pre">expected</span></code> key value.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The operation state is not valid: it must be active, with all required input steps complete.</li>
<li>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_HANDLE" title="PSA_ERROR_INVALID_HANDLE"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_HANDLE</span></code></a></dt>
<dd><code class="docutils literal"><span class="pre">expected</span></code> is not a valid key identifier.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_NOT_PERMITTED" title="PSA_ERROR_NOT_PERMITTED"><code class="docutils literal"><span class="pre">PSA_ERROR_NOT_PERMITTED</span></code></a></dt>
<dd><p class="first">The following conditions can result in this error:</p>
<ul class="last simple">
<li>The key does not have the <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a> flag, or it does not permit the requested algorithm.</li>
<li>One of the inputs is a key whose policy does not permit <a class="reference internal" href="../keys/policy.html#c.PSA_KEY_USAGE_VERIFY_DERIVATION" title="PSA_KEY_USAGE_VERIFY_DERIVATION"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_USAGE_VERIFY_DERIVATION</span></code></a>.</li>
</ul>
</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_SIGNATURE" title="PSA_ERROR_INVALID_SIGNATURE"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_SIGNATURE</span></code></a></dt>
<dd>The output of the key derivation operation does not match the value of the <code class="docutils literal"><span class="pre">expected</span></code> key.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a></dt>
<dd>The operation’s capacity was less than the length of the <code class="docutils literal"><span class="pre">expected</span></code> key. In this case, the operation’s capacity is set to zero — subsequent calls to this function will not succeed, even with a smaller expected key length.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_ARGUMENT" title="PSA_ERROR_INVALID_ARGUMENT"><code class="docutils literal"><span class="pre">PSA_ERROR_INVALID_ARGUMENT</span></code></a></dt>
<dd>The key type is not <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_MEMORY" title="PSA_ERROR_INSUFFICIENT_MEMORY"><code class="docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_MEMORY</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_STORAGE_FAILURE" title="PSA_ERROR_STORAGE_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_STORAGE_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_CORRUPT" title="PSA_ERROR_DATA_CORRUPT"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_CORRUPT</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_DATA_INVALID" title="PSA_ERROR_DATA_INVALID"><code class="docutils literal"><span class="pre">PSA_ERROR_DATA_INVALID</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>This function calculates output bytes from a key derivation algorithm and compares those bytes to an expected value, provided as key of type <a class="reference internal" href="../keys/types.html#c.PSA_KEY_TYPE_PASSWORD_HASH" title="PSA_KEY_TYPE_PASSWORD_HASH"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_TYPE_PASSWORD_HASH</span></code></a>.
If the key derivation’s output is viewed as a stream of bytes, this function destructively reads the number of bytes corresponding to the length of the <code class="docutils literal"><span class="pre">expected</span></code> key from the stream before comparing them with the key value.
The operation’s capacity decreases by the number of bytes read.</p>
<p>This is functionally equivalent to exporting the <code class="docutils literal"><span class="pre">expected</span></code> key and calling <a class="reference internal" href="#c.psa_key_derivation_verify_bytes" title="psa_key_derivation_verify_bytes"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_verify_bytes()</span></code></a> on the result, except that it works when the key cannot be exported.</p>
<p>If this function returns an error status other than <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INSUFFICIENT_DATA" title="PSA_ERROR_INSUFFICIENT_DATA"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ERROR_INSUFFICIENT_DATA</span></code></a> or <a class="reference internal" href="../library/status.html#c.PSA_ERROR_INVALID_SIGNATURE" title="PSA_ERROR_INVALID_SIGNATURE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ERROR_INVALID_SIGNATURE</span></code></a>, the operation enters an error state and must be aborted by calling <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a>.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Implementations must make the best effort to ensure that the comparison between the actual key derivation output and the expected output is performed in constant time.</p>
</div>
</div>
<div class="section" id="psa_key_derivation_abort">
<span id="c.psa_key_derivation_abort"></span><h3><code class="docutils literal"><span class="pre">psa_key_derivation_abort</span></code> (function)</h3>
<p>Abort a key derivation operation.</p>
<pre class="literal-block">
<a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t">psa_status_t</a> <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort">psa_key_derivation_abort</a>(<a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t">psa_key_derivation_operation_t</a> * operation);
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">operation</span></code></dt>
<dd>The operation to abort.</dd>
</dl>
<p class="rubric">Returns: <a class="reference internal" href="../library/status.html#c.psa_status_t" title="psa_status_t"><code class="docutils literal"><span class="pre">psa_status_t</span></code></a></p>
<dl class="docutils">
<dt> <a class="reference internal" href="../library/status.html#c.PSA_SUCCESS" title="PSA_SUCCESS"><code class="docutils literal"><span class="pre">PSA_SUCCESS</span></code></a></dt>
<dd>Success.
The operation object can now be discarded or reused.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_BAD_STATE" title="PSA_ERROR_BAD_STATE"><code class="docutils literal"><span class="pre">PSA_ERROR_BAD_STATE</span></code></a></dt>
<dd>The library requires initializing by a call to <a class="reference internal" href="../library/library.html#c.psa_crypto_init" title="psa_crypto_init"><code class="xref any c c-func docutils literal"><span class="pre">psa_crypto_init()</span></code></a>.</dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_COMMUNICATION_FAILURE" title="PSA_ERROR_COMMUNICATION_FAILURE"><code class="docutils literal"><span class="pre">PSA_ERROR_COMMUNICATION_FAILURE</span></code></a></dt>
<dd></dd>
<dt> <a class="reference internal" href="../library/status.html#c.PSA_ERROR_CORRUPTION_DETECTED" title="PSA_ERROR_CORRUPTION_DETECTED"><code class="docutils literal"><span class="pre">PSA_ERROR_CORRUPTION_DETECTED</span></code></a></dt>
<dd></dd>
</dl>
<p class="rubric">Description</p>
<p>Aborting an operation frees all associated resources except for the <code class="docutils literal"><span class="pre">operation</span></code> object itself. Once aborted, the operation object can be reused for another operation by calling <a class="reference internal" href="#c.psa_key_derivation_setup" title="psa_key_derivation_setup"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_setup()</span></code></a> again.</p>
<p>This function can be called at any time after the operation object has been initialized as described in <a class="reference internal" href="#c.psa_key_derivation_operation_t" title="psa_key_derivation_operation_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_key_derivation_operation_t</span></code></a>.</p>
<p>In particular, it is valid to call <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a> twice, or to call <a class="reference internal" href="#c.psa_key_derivation_abort" title="psa_key_derivation_abort"><code class="xref any c c-func docutils literal"><span class="pre">psa_key_derivation_abort()</span></code></a> on an operation that has not been set up.</p>
</div>
</div>
<div class="section" id="support-macros">
<h2>10.6.4. Support macros</h2>
<div class="section" id="PSA_ALG_IS_KEY_DERIVATION_STRETCHING">
<span id="c.PSA_ALG_IS_KEY_DERIVATION_STRETCHING"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_IS_KEY_DERIVATION_STRETCHING</span></code> (macro)</h3>
<p>Whether the specified algorithm is a key-stretching or password-hashing algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_IS_KEY_DERIVATION_STRETCHING" title="PSA_ALG_IS_KEY_DERIVATION_STRETCHING">PSA_ALG_IS_KEY_DERIVATION_STRETCHING</a>(alg) \
    <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">alg</span></code></dt>
<dd>An algorithm identifier: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a>.</dd>
</dl>
<p class="rubric">Returns</p>
<p><code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is a key-stretching or password-hashing algorithm, <code class="docutils literal"><span class="pre">0</span></code> otherwise.
This macro can return either <code class="docutils literal"><span class="pre">0</span></code> or <code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is not a supported key derivation algorithm algorithm identifier.</p>
<p class="rubric">Description</p>
<p>A key-stretching or password-hashing algorithm is a key derivation algorithm that is suitable for use with a low-entropy secret such as a password.
Equivalently, it’s a key derivation algorithm that uses a <a class="reference internal" href="#c.PSA_KEY_DERIVATION_INPUT_PASSWORD" title="PSA_KEY_DERIVATION_INPUT_PASSWORD"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_KEY_DERIVATION_INPUT_PASSWORD</span></code></a> input step.</p>
</div>
<div class="section" id="PSA_ALG_IS_HKDF">
<span id="c.PSA_ALG_IS_HKDF"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_IS_HKDF</span></code> (macro)</h3>
<p>Whether the specified algorithm is an HKDF algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_IS_HKDF" title="PSA_ALG_IS_HKDF">PSA_ALG_IS_HKDF</a>(alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">alg</span></code></dt>
<dd>An algorithm identifier: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a>.</dd>
</dl>
<p class="rubric">Returns</p>
<p><code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is an HKDF algorithm, <code class="docutils literal"><span class="pre">0</span></code> otherwise. This macro can return either <code class="docutils literal"><span class="pre">0</span></code> or <code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is not a supported key derivation algorithm identifier.</p>
<p class="rubric">Description</p>
<p>HKDF is a family of key derivation algorithms that are based on a hash function and the HMAC construction.</p>
</div>
<div class="section" id="PSA_ALG_IS_TLS12_PRF">
<span id="c.PSA_ALG_IS_TLS12_PRF"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_IS_TLS12_PRF</span></code> (macro)</h3>
<p>Whether the specified algorithm is a TLS-1.2 PRF algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_IS_TLS12_PRF" title="PSA_ALG_IS_TLS12_PRF">PSA_ALG_IS_TLS12_PRF</a>(alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">alg</span></code></dt>
<dd>An algorithm identifier: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a>.</dd>
</dl>
<p class="rubric">Returns</p>
<p><code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is a TLS-1.2 PRF algorithm, <code class="docutils literal"><span class="pre">0</span></code> otherwise. This macro can return either <code class="docutils literal"><span class="pre">0</span></code> or <code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is not a supported key derivation algorithm identifier.</p>
</div>
<div class="section" id="PSA_ALG_IS_TLS12_PSK_TO_MS">
<span id="c.PSA_ALG_IS_TLS12_PSK_TO_MS"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_IS_TLS12_PSK_TO_MS</span></code> (macro)</h3>
<p>Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_IS_TLS12_PSK_TO_MS" title="PSA_ALG_IS_TLS12_PSK_TO_MS">PSA_ALG_IS_TLS12_PSK_TO_MS</a>(alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">alg</span></code></dt>
<dd>An algorithm identifier: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a>.</dd>
</dl>
<p class="rubric">Returns</p>
<p><code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is a TLS-1.2 PSK to MS algorithm, <code class="docutils literal"><span class="pre">0</span></code> otherwise. This macro can return either <code class="docutils literal"><span class="pre">0</span></code> or <code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is not a supported key derivation algorithm identifier.</p>
</div>
<div class="section" id="PSA_ALG_IS_PBKDF2_HMAC">
<span id="c.PSA_ALG_IS_PBKDF2_HMAC"></span><h3><code class="docutils literal"><span class="pre">PSA_ALG_IS_PBKDF2_HMAC</span></code> (macro)</h3>
<p>Whether the specified algorithm is a PBKDF2-HMAC algorithm.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_ALG_IS_PBKDF2_HMAC" title="PSA_ALG_IS_PBKDF2_HMAC">PSA_ALG_IS_PBKDF2_HMAC</a>(alg) <em><a class="reference internal" href="../../overview/implementation.html#specification-defined-value"><span class="std std-ref">/* specification-defined value */</span></a></em>
</pre>
<p class="rubric">Parameters</p>
<dl class="docutils">
<dt> <code class="docutils literal"><span class="pre">alg</span></code></dt>
<dd>An algorithm identifier: a value of type <a class="reference internal" href="algorithms.html#c.psa_algorithm_t" title="psa_algorithm_t"><code class="xref any c c-type docutils literal"><span class="pre">psa_algorithm_t</span></code></a>.</dd>
</dl>
<p class="rubric">Returns</p>
<p><code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is a PBKDF2-HMAC algorithm, <code class="docutils literal"><span class="pre">0</span></code> otherwise. This macro can return either <code class="docutils literal"><span class="pre">0</span></code> or <code class="docutils literal"><span class="pre">1</span></code> if <code class="docutils literal"><span class="pre">alg</span></code> is not a supported key derivation algorithm identifier.</p>
</div>
<div class="section" id="PSA_KEY_DERIVATION_UNLIMITED_CAPACITY">
<span id="c.PSA_KEY_DERIVATION_UNLIMITED_CAPACITY"></span><h3><code class="docutils literal"><span class="pre">PSA_KEY_DERIVATION_UNLIMITED_CAPACITY</span></code> (macro)</h3>
<p>Use the maximum possible capacity for a key derivation operation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_KEY_DERIVATION_UNLIMITED_CAPACITY" title="PSA_KEY_DERIVATION_UNLIMITED_CAPACITY">PSA_KEY_DERIVATION_UNLIMITED_CAPACITY</a> \
    <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>Use this value as the capacity argument when setting up a key derivation to specify that the operation will use the maximum possible capacity. The value of the maximum possible capacity depends on the key derivation algorithm.</p>
</div>
<div class="section" id="PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE">
<span id="c.PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE"></span><h3><code class="docutils literal"><span class="pre">PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE</span></code> (macro)</h3>
<p>This macro returns the maximum supported length of the PSK for the TLS-1.2 PSK-to-MS key derivation.</p>
<pre class="literal-block">
#define <a class="reference internal" href="#c.PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE" title="PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE">PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE</a> <em><a class="reference internal" href="../../overview/implementation.html#implementation-defined-value"><span class="std std-ref">/* implementation-defined value */</span></a></em>
</pre>
<p>This implementation-defined value specifies the maximum length for the PSK input used with a <a class="reference internal" href="#c.PSA_ALG_TLS12_PSK_TO_MS" title="PSA_ALG_TLS12_PSK_TO_MS"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_ALG_TLS12_PSK_TO_MS()</span></code></a> key agreement algorithm.</p>
<p>Quoting <span><em>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</em> <a class="reference internal" href="../../about.html#citation-rfc4279"><span class="cite">[RFC4279]</span></a></span> <a class="reference external" href="https://tools.ietf.org/html/rfc4279.html#section-5.3">§5.3</a>:</p>
<blockquote>
<div>TLS implementations supporting these cipher suites MUST support arbitrary PSK identities up to 128 octets in length, and arbitrary PSKs up to 64 octets in length. Supporting longer identities and keys is RECOMMENDED.</div></blockquote>
<p>Therefore, it is recommended that implementations define <a class="reference internal" href="#c.PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE" title="PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE"><code class="xref any c c-macro docutils literal"><span class="pre">PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE</span></code></a> with a value greater than or equal to <code class="docutils literal"><span class="pre">64</span></code>.</p>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper"><h3><a href="../../index.html"><b>PSA Crypto API</b></a></h3>
IHI 0086<br/>
Non-confidential<br/>
Version 1.1.0
<span style="color: red; font-weight: bold;"></span>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../about.html">About this document</a></li>
</ul>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../overview/intro.html">1. Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../overview/goals.html">2. Design goals</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../overview/functionality.html">3. Functionality overview</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../overview/sample-arch.html">4. Sample architectures</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../overview/conventions.html">5. Library conventions</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../overview/implementation.html">6. Implementation considerations</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../overview/usage.html">7. Usage considerations</a></li>
<li class="toctree-l1"><a class="reference internal" href="../library/index.html">8. Library management reference</a></li>
<li class="toctree-l1"><a class="reference internal" href="../keys/index.html">9. Key management reference</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">10. Cryptographic operation reference</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="algorithms.html">10.1. Algorithms</a></li>
<li class="toctree-l2"><a class="reference internal" href="hashes.html">10.2. Message digests (Hashes)</a></li>
<li class="toctree-l2"><a class="reference internal" href="macs.html">10.3. Message authentication codes (MAC)</a></li>
<li class="toctree-l2"><a class="reference internal" href="ciphers.html">10.4. Unauthenticated ciphers</a></li>
<li class="toctree-l2"><a class="reference internal" href="aead.html">10.5. Authenticated encryption with associated data (AEAD)</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">10.6. Key derivation</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#key-derivation-algorithms">10.6.1. Key derivation algorithms</a></li>
<li class="toctree-l3"><a class="reference internal" href="#input-step-types">10.6.2. Input step types</a></li>
<li class="toctree-l3"><a class="reference internal" href="#key-derivation-functions">10.6.3. Key derivation functions</a></li>
<li class="toctree-l3"><a class="reference internal" href="#support-macros">10.6.4. Support macros</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="sign.html">10.7. Asymmetric signature</a></li>
<li class="toctree-l2"><a class="reference internal" href="pke.html">10.8. Asymmetric encryption</a></li>
<li class="toctree-l2"><a class="reference internal" href="ka.html">10.9. Key agreement</a></li>
<li class="toctree-l2"><a class="reference internal" href="rng.html">10.10. Other cryptographic services</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../appendix/example_header.html">Example header file</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../appendix/encodings.html">Algorithm and key type encoding</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../appendix/specdef_values.html">Example macro implementations</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../appendix/sra.html">Security Risk Assessment</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../appendix/history.html">Changes to the API</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../psa_c-identifiers.html">Index of API elements</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <form class="search" action="../../search.html" method="get">
      <div><input type="text" name="q" /></div>
      <div><input type="submit" value="Go" /></div>
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
      &copy; 2018-2022, Arm Limited or its affiliates. All rights reserved.
      
      |
      Powered by <a href="http://sphinx-doc.org/">Sphinx 1.6.7</a>
      &amp; <a href="https://github.com/bitprophet/alabaster">Alabaster 0.7.8</a>
      
    </div>

    

    
  </body>
</html>